View Source Ash.Policy.Authorizer (ash v3.2.6)

An authorization extension for ash resources.

To add this extension to a resource, add it to the list of authorizers like so:

use Ash.Resource,
  ...,
  authorizers: [
    Ash.Policy.Authorizer
  ]

A resource can be given a set of policies, which are enforced on each call to a resource action.

For reads, policies can be configured to filter out data that the actor shouldn't see, as opposed to resulting in a forbidden error.

See the policies guide for practical examples.

Policies are solved/managed via a boolean satisfiability solver. To read more about boolean satisfiability, see this page: https://en.wikipedia.org/wiki/Boolean_satisfiability_problem. At the end of the day, however, it is not necessary to understand exactly how Ash takes your authorization requirements and determines if a request is allowed. The important thing to understand is that Ash may or may not run any/all of your authorization rules as they may be deemed unnecessary. As such, authorization checks should have no side effects. Ideally, the checks built-in to ash should cover the bulk of your needs.

Summary

Types

t()

Functions

alter_sort(sort, authorizer, context)
expr_check(expr)
print_tuple_boolean(v)

Types

Link to this type

t()

View Source 
@type t() :: %Ash.Policy.Authorizer{
  action: Ash.Resource.Actions.Action.t(),
  action_input: Ash.ActionInput.t() | nil,
  actor: term(),
  changeset: Ash.Changeset.t() | nil,
  check_scenarios: [map()],
  context: map(),
  data: term(),
  data_facts: map(),
  domain: Ash.Domain.t(),
  facts: map(),
  policies: [term()],
  query: Ash.Query.t() | nil,
  real_scenarios: [map()],
  resource: Ash.Resource.t(),
  scenarios: [map()],
  subject: Ash.Query.t() | Ash.Changeset.t() | Ash.ActionInput.t()
}

Functions

Link to this function

alter_sort(sort, authorizer, context)

View Source
Link to this function

expr_check(expr)

View Source